05-23-2007 12:01 PM - edited 03-05-2019 04:15 PM
I'm attempting to set up my wireless to allow guest access. I've gotten my AP set up with two VLANs, 40 and 41. 40 will be used by internal users and 41 will be for vendors, consultants etc. I have a Cisco 3560 L3 switch that I'll be configuring. I want to block access to all my network servers and such for those users on the 41 subnet; however, I do want them to have access to the Internet. I'm having some issues putting together the correct ACL for this because the 41 users will need to use DNS and obtain a DHCP address to get to the Internet. The network servers are on VLAN 36.
Subnets: 192.168.36.0, 192.168.40.0, and 192.168.41.1
Thanks,
Bob
05-23-2007 12:20 PM
I have exactly the same scenario; here is the access list and the interface that I have the list applied to. I am only allowing this subnet access to obtain a DHCP address, DNS resolution and web access. I am also performing rate limiting so that users cannot monopolize Internet bandwidth.
Access List
ip access-list extended guestvlan
permit udp any any eq bootpc
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
Interface application
interface GigabitEthernet6/0.100
description Guest VLAN
encapsulation isl 100
ip address 10.10.100.2 255.255.255.0
ip access-group guestvlan in
ip helper-address xxx.xxx.xxx.49
no ip redirects
rate-limit input 128000 256000 384000 conform-action transmit exceed-action drop
rate-limit output 128000 256000 384000 conform-action transmit exceed-action drop
mls rp ip
no snmp trap link-status
standby 100 ip 10.10.100.1
standby 100 timers 5 15
standby 100 priority 110
standby 100 preempt
05-24-2007 06:01 AM
Is this configuration from a router or an L3 switch? I'm a bit confused because I already have access to all network resources from my guest VLAN to my other VLANs and I don't have any ACLs set up. Does the fact that I'm using an L3 switch make a difference? I've copied my current running config of my 3560 switch.
3560#show run
Building configuration...
Current configuration : 6798 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
hostname 3560
!
enable secret xxx
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
description Connection 2960-MDF1 Port G0/1
switchport trunk encapsulation dot1q
!
interface GigabitEthernet0/2
description Conntection 2960-MDF2 Port G0/1
switchport trunk encapsulation dot1q
!
!
interface GigabitEthernet0/25
switchport access vlan 36
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/26
switchport trunk encapsulation dot1q
switchport mode trunk
Description --- Wireless AP w VLAN 40 and 41
!
interface GigabitEthernet0/27
switchport access vlan 38
switchport mode access
spanning-tree portfast
!
!
interface GigabitEthernet0/45
switchport access vlan 36
switchport mode access
spanning-tree portfast trunk
!
interface GigabitEthernet0/46
description Connection 2960-IDF1 G 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet0/47
description Connection 2960-MDF1 G 0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/48
description Connection 2960-MDF2 G 0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/49
!
interface GigabitEthernet0/50
!
interface GigabitEthernet0/51
!
interface GigabitEthernet0/52
!
interface Vlan1
ip address x.x.1.1 255.255.255.0
!
interface Vlan36
ip address x.x.36.5 255.255.254.0
ip helper-address x.x.36.31
!
interface Vlan38
ip address x.x.38.1 255.255.255.0
!
interface Vlan39
ip address x.x.39.1 255.255.255.0
!
interface Vlan40
ip address x.x.40.1 255.255.255.0
ip helper-address x.x.36.31
!
interface Vlan41
ip address x.x.41.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.36.2
ip route x.x.12.0 255.255.254.0 x.x.36.2
ip route x.x.24.0 255.255.255.0 x.x.36.2
ip route x.x.36.0 255.255.255.0 x.x.36.2
ip route x.x.74.0 255.255.255.0 x.x.36.2
ip route x.x.4.0 255.255.255.0 x.x.36.2
ip route x.x.185.0 255.255.255.0 x.x.36.2
ip http server
!
!
control-plane
!
!
line con 0
password xxx
logging synchronous
login
line vty 0 4
password xxx
login
line vty 5 15
password xxx
login
!
end
3560#
05-24-2007 06:07 AM
Bob,
The configs posted above were from a router's sub-interface. You can configure the same ACLs and bind them to the Vlan41 interface. This should give you the desired results.
HTH,
-amit singh
05-24-2007 06:54 AM
That doesn't make sense to me because my VLAN 41 already has "permit" access to those items by default. It works now without any ACL "permit" statements, so why would this change when I add "permits" and not "denys"?
Anyway, I added the ACL as shown in the first post. I've listed it below, and now I cannot obtain a DHCP address, and when I statically assign an IP address I cannot access the Internet, whereas before the ACL was applied I could.
Did I do this incorrectly?
interface Vlan41
ip address x.x.41.1 255.255.255.0
ip access-group guestvlan in
ip helper-address x.x.36.31
!
!
ip access-list extended guestvlan
permit udp any any eq bootpc
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
Thanks...
05-25-2007 11:17 AM
I think your:
permit udp any any eq bootpc
should be:
permit udp any eq bootpc any
Can you not access via name or IP, or both? The rest of it should be good.
05-31-2007 07:58 AM
That seemed to fix the DHCP issue; however, I still cannot access the Internet. I changed my other access list to match but still cannot get out. I've copied the new config below. There is one thing to keep in mind: my Internet goes through a proxy server, an ISA to be specific. The IP is x.x.36.3, and when I attempt to ping that IP address from my laptop, which has a 41.6 address, I get dest. unreachable. If I do not apply the access-list to that VLAN I can access the Internet fine.
Any thoughts on what I'm missing?
interface Vlan41
ip address x.x.41.1 255.255.255.0
ip access-group guestvlan in
ip helper-address x.x.36.31
!
!
ip access-list extended guestvlan
permit udp any eq bootpc any
permit tcp any eq www any
permit tcp any eq 443 any
permit tcp any eq domain any
Thanks,
Bob
05-31-2007 10:30 AM
I believe I've figured this out. I added the following to my ACL and now I can access the Internet just fine.
permit tcp x.x.41.0 0.0.0.255 host x.x.36.3
If anyone has any other suggestions I should be considering, please let me know.
Thanks,
Bob
12-17-2018 01:56 AM
Hi
I know this is an old post, but I have the same issue and I have searched a lot but couldn't find anything.
I have guest VLAN 50, 192.168.50.0/24,
servers in subnet 172.20.1.0/24,
and I want to allow from this range of servers (172.20.1.0/24) only:
1 - DHCP
2 - DNS
3 - 4 other servers using ports 443/80
then deny access to the rest of the servers in range 172.20.1.0/24,
then permit access to the Internet, or permit any any.
So please, your help: how should I do that without making any errors?
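To see why the lists in this thread behaved the way they did (DHCP breaking under the first ACL, the Internet only returning once the proxy host was permitted) and how the layout asked for in the last post fits together, here is a small Python model of how an inbound extended ACL on the guest SVI matches a packet. This is an added example, not code from any poster or from Cisco. Addresses are constructed: 192.168. stands in for the thread's x.x. prefix, the ISA proxy listening port (8080) is an assumption, and the DNS and web server addresses in the 2018 scenario are made up.

```python
"""Stateless ACL evaluator for the guest-VLAN lists discussed in this thread.

Added example, not from the thread or from Cisco. Models an IOS extended ACL
applied with "ip access-group ... in": entries are tested top-down, the first
match decides, and an unmatched packet hits the implicit deny at the end.
All addresses are constructed; 192.168. stands in for the thread's x.x. prefix
and the ISA proxy port (8080) is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

BOOTPS, BOOTPC, DOMAIN, WWW, HTTPS = 67, 68, 53, 80, 443


@dataclass(frozen=True)
class Flow:
    proto: str   # "udp", "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One access-list entry. sport/dport None means no "eq" qualifier on that side."""
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src: str             # CIDR or "any"
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl: list, flow: Flow) -> str:
    """Return "permit" or "deny" for flow under acl (first match wins, implicit deny)."""
    for r in acl:
        if r.proto != "ip" and r.proto != flow.proto:
            continue
        if not (_match_addr(r.src, flow.src) and _match_addr(r.dst, flow.dst)):
            continue
        if r.sport is not None and r.sport != flow.sport:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return "deny"


# The list from the first reply, as Bob first applied it inbound on Vlan41.
FIRST_ACL = [
    Rule("permit", "udp", "any", None, "any", BOOTPC),   # permit udp any any eq bootpc
    Rule("permit", "udp", "any", None, "any", DOMAIN),   # permit udp any any eq domain
    Rule("permit", "tcp", "any", None, "any", WWW),      # permit tcp any any eq www
    Rule("permit", "tcp", "any", None, "any", HTTPS),    # permit tcp any any eq 443
]

# Bob's working list: bootpc qualifier moved to the source side, plus the proxy permit.
FIXED_ACL = [
    Rule("permit", "udp", "any", BOOTPC, "any", None),                        # permit udp any eq bootpc any
    Rule("permit", "tcp", "192.168.41.0/24", None, "192.168.36.3/32", None),  # permit tcp x.x.41.0 0.0.0.255 host x.x.36.3
    Rule("permit", "tcp", "any", None, "any", WWW),
    Rule("permit", "tcp", "any", None, "any", HTTPS),
]

# Constructed packets as the inbound ACL on Vlan41 sees them (guest -> network).
DHCP_DISCOVER = Flow("udp", "0.0.0.0", BOOTPC, "255.255.255.255", BOOTPS)
DNS_QUERY = Flow("udp", "192.168.41.6", 51000, "192.168.36.31", DOMAIN)
TO_PROXY = Flow("tcp", "192.168.41.6", 52000, "192.168.36.3", 8080)   # proxy port assumed
PING_PROXY = Flow("icmp", "192.168.41.6", 0, "192.168.36.3", 0)
INTERNAL_WEB = Flow("tcp", "192.168.41.6", 52001, "192.168.36.20", HTTPS)
FILE_SERVER = Flow("tcp", "192.168.41.6", 52002, "192.168.36.20", 445)

# Layout the 2018 poster asked for: DHCP, one DNS server, four web servers on 80/443,
# then deny the rest of the server range, then permit everything else. Servers constructed.
DNS_SERVER = "172.20.1.10"
WEB_SERVERS = ["172.20.1.20", "172.20.1.21", "172.20.1.22", "172.20.1.23"]
GUEST_2018_ACL = (
    # DHCP DISCOVER is sourced from 0.0.0.0, so the DHCP entry cannot use the guest subnet as source.
    [Rule("permit", "udp", "any", BOOTPC, "any", BOOTPS),
     Rule("permit", "udp", "192.168.50.0/24", None, f"{DNS_SERVER}/32", DOMAIN)]
    + [Rule("permit", "tcp", "192.168.50.0/24", None, f"{s}/32", p)
       for s in WEB_SERVERS for p in (WWW, HTTPS)]
    + [Rule("deny", "ip", "192.168.50.0/24", None, "172.20.1.0/24", None),
       Rule("permit", "ip", "192.168.50.0/24", None, "any", None)]
)


def verdicts(acl: list, flows: dict) -> dict:
    """Evaluate several named flows against one ACL."""
    return {name: evaluate(acl, f) for name, f in flows.items()}


if __name__ == "__main__":
    flows = {"dhcp": DHCP_DISCOVER, "dns": DNS_QUERY, "proxy": TO_PROXY,
             "ping": PING_PROXY, "internal-web": INTERNAL_WEB, "smb": FILE_SERVER}
    for name, acl in (("first", FIRST_ACL), ("fixed", FIXED_ACL)):
        print(name, verdicts(acl, flows))
```

Running it shows the two failures from the thread: the DHCP DISCOVER goes from source port 68 to destination port 67, so `eq bootpc` on the destination side never matches it, and a guest's connection to the proxy carries an ephemeral source port and the proxy's listening port as destination, so neither `eq www` nor `eq 443` matches it; the host permit for x.x.36.3 is what admits client-initiated TCP to the proxy, and since a forward proxy resolves names on the client's behalf, guests need no UDP DNS of their own to browse. The ping to the proxy is denied because nothing in the list permits ICMP, which is the unreachable Bob saw. Two caveats worth checking in a real deployment: `permit tcp any any eq www` and `eq 443` also let guests reach any internal web server on VLAN 36 (the INTERNAL_WEB flow is permitted under both lists), and in the 2018 layout the closing `permit ip ... any` reaches every other internal subnet as well, because the explicit deny covers only 172.20.1.0/24; deny the other internal ranges (or all RFC 1918 space) before that final permit.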